Blame SOURCES/0005-providers-proxy-fixed-erroneous-free-of-orig_grp.patch

836b22
From e61f36189c4354a202f2b3bee86a026c7080690f Mon Sep 17 00:00:00 2001
836b22
From: Alexey Tikhonov <atikhono@redhat.com>
836b22
Date: Tue, 29 Jan 2019 12:13:30 +0100
836b22
Subject: [PATCH 5/9] providers/proxy: fixed erroneous free of orig_grp
836b22
MIME-Version: 1.0
836b22
Content-Type: text/plain; charset=UTF-8
836b22
Content-Transfer-Encoding: 8bit
836b22
836b22
Function `remove_duplicate_group_members(mem_ctx, orig_grp, new_grp)`
836b22
in case of empty orig_grp would return as a result:
836b22
```
836b22
*new_grp = talloc_steal(mem_ctx, orig_grp);
836b22
```
836b22
Since mem_ctx is freed in caller function that leads to deallocation
836b22
of orig_grp and to "use after free" bug.
836b22
836b22
Code was changes so remove_duplicate_group_members() behaves consistently
836b22
and always returns a new group created in given mem context.
836b22
836b22
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
836b22
836b22
cherry picked from commit cd1538bc92a319a19915d3a19efd9d5e013f7e75
836b22
and amended with
836b22
commit e1b678c0cce73494d986610920b03956c1dbb62a by Lukas Slebodnik
836b22
836b22
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
836b22
---
836b22
 src/providers/proxy/proxy_id.c | 70 ++++++++++++++++++----------------
836b22
 1 file changed, 38 insertions(+), 32 deletions(-)
836b22
836b22
diff --git a/src/providers/proxy/proxy_id.c b/src/providers/proxy/proxy_id.c
836b22
index 3e8a43ad7..25e866bfb 100644
836b22
--- a/src/providers/proxy/proxy_id.c
836b22
+++ b/src/providers/proxy/proxy_id.c
836b22
@@ -597,8 +597,32 @@ static errno_t remove_duplicate_group_members(TALLOC_CTX *mem_ctx,
836b22
         return ENOMEM;
836b22
     }
836b22
 
836b22
+    grp = talloc(tmp_ctx, struct group);
836b22
+    if (grp == NULL) {
836b22
+        DEBUG(SSSDBG_OP_FAILURE, "talloc failed.\n");
836b22
+        ret = ENOMEM;
836b22
+        goto done;
836b22
+    }
836b22
+
836b22
+    grp->gr_gid = orig_grp->gr_gid;
836b22
+
836b22
+    grp->gr_name = talloc_strdup(grp, orig_grp->gr_name);
836b22
+    if (grp->gr_name == NULL) {
836b22
+        DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n");
836b22
+        ret = ENOMEM;
836b22
+        goto done;
836b22
+    }
836b22
+
836b22
+    grp->gr_passwd = talloc_strdup(grp, orig_grp->gr_passwd);
836b22
+    if (grp->gr_passwd == NULL) {
836b22
+        DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n");
836b22
+        ret = ENOMEM;
836b22
+        goto done;
836b22
+    }
836b22
+
836b22
     if (orig_grp->gr_mem == NULL) {
836b22
-        ret = ENOENT;
836b22
+        grp->gr_mem = NULL;
836b22
+        ret = EOK;
836b22
         goto done;
836b22
     }
836b22
 
836b22
@@ -607,7 +631,14 @@ static errno_t remove_duplicate_group_members(TALLOC_CTX *mem_ctx,
836b22
     orig_member_count = i;
836b22
 
836b22
     if (orig_member_count == 0) {
836b22
-        ret = ENOENT;
836b22
+        grp->gr_mem = talloc_zero_array(grp, char *, 1);
836b22
+        if (grp->gr_mem == NULL) {
836b22
+            DEBUG(SSSDBG_OP_FAILURE, "talloc_zero_array failed.\n");
836b22
+            ret = ENOMEM;
836b22
+            goto done;
836b22
+        }
836b22
+        grp->gr_mem[0] = NULL;
836b22
+        ret = EOK;
836b22
         goto done;
836b22
     }
836b22
 
836b22
@@ -636,14 +667,8 @@ static errno_t remove_duplicate_group_members(TALLOC_CTX *mem_ctx,
836b22
 
836b22
     member_count = hash_count(member_tbl);
836b22
     if (member_count == 0) {
836b22
-        ret = ENOENT;
836b22
-        goto done;
836b22
-    }
836b22
-
836b22
-    grp = talloc(tmp_ctx, struct group);
836b22
-    if (grp == NULL) {
836b22
-        DEBUG(SSSDBG_OP_FAILURE, "talloc failed.\n");
836b22
-        ret = ENOMEM;
836b22
+        DEBUG(SSSDBG_CRIT_FAILURE, "Empty resulting hash table - must be internal bug.\n");
836b22
+        ret = EINVAL;
836b22
         goto done;
836b22
     }
836b22
 
836b22
@@ -673,32 +698,13 @@ static errno_t remove_duplicate_group_members(TALLOC_CTX *mem_ctx,
836b22
     }
836b22
     grp->gr_mem[i] = NULL;
836b22
 
836b22
-    grp->gr_gid = orig_grp->gr_gid;
836b22
-
836b22
-    grp->gr_name = talloc_strdup(grp, orig_grp->gr_name);
836b22
-    if (grp->gr_name == NULL) {
836b22
-        DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n");
836b22
-        ret = ENOMEM;
836b22
-        goto done;
836b22
-    }
836b22
-
836b22
-    grp->gr_passwd = talloc_strdup(grp, orig_grp->gr_passwd);
836b22
-    if (grp->gr_passwd == NULL) {
836b22
-        DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n");
836b22
-        ret = ENOMEM;
836b22
-        goto done;
836b22
-    }
836b22
-
836b22
-    *_grp = talloc_steal(mem_ctx, grp);
836b22
     ret = EOK;
836b22
 
836b22
 done:
836b22
-    talloc_zfree(tmp_ctx);
836b22
-
836b22
-    if (ret == ENOENT) {
836b22
-        *_grp = talloc_steal(mem_ctx, orig_grp);
836b22
-        ret = EOK;
836b22
+    if (ret == EOK) {
836b22
+        *_grp = talloc_steal(mem_ctx, grp);
836b22
     }
836b22
+    talloc_zfree(tmp_ctx);
836b22
 
836b22
     return ret;
836b22
 }
836b22
-- 
836b22
2.21.1
836b22